4. Сотрудничество по принуждению

Many governments routinely compel companies to
assist them with surveillance. Telecommunications
carriers and Internet service providers are frequently
required to violate their customers' privacy — providing the government with email communications,
telephone calls, search engine records, financial
transactions and geo-location information.

the range of entities that can be compelled to assist in electronic surveillance by law enforcement 6

electronic communication under this chapter shall [. . . ] direct
that a provider of wire or electronic communication service,
landlord, custodian or other person shall furnish the applicant
forthwith all information, facilities, and technical assistance
necessary to accomplish the interception unobtrusively and
with a minimum of interference with the services that such
service provider, landlord, custodian, or person is according
the person whose communications are to be intercepted." See:
18 U.S.C. §2518(4).

and foreign intelligence investigators 7

section shall direct [. . . ] a specified communication or other
common carrier, landlord, custodian, or other specified per-
son [. . . ] furnish the applicant forthwith all information, fa-
cilities, or technical assistance necessary to accomplish the
electronic surveillance in such a manner as will protect its
secrecy and produce a minimum of interference with the ser-
vices that such carrier, landlord, custodian, or other person
is providing that target of electronic surveillance." See: 50
U.S.C. §1805©(2)(B).

are remarkably broad.8

can and have been compelled to violate their customers' pri-
vacy can be found in [17].

Examples of compelled assistance us-
ing these statutes include a secure email provider
that was required to place a covert back door in
its product in order to steal users' encryption keys
[2], and a consumer electronics company that was
forced to remotely enable the microphones in a suspect's auto-mobile dashboard GPS navigation unit
in order to covertly record their conversations [18].

even less important. The Chinese government, for
example, has repeatedly compelled the assistance
of telecommunications and technology companies in
assisting it with its surveillance efforts [19, 20].

be forced to assist governments in their surveillance
efforts, so too can SSL certificate authorities. The
compel led certificate creation attack is thus one in
which a government agency requires a domestic certificate authority to provide it with false SSL certificates for use in surveillance.

simple, and do not require extensive explanation.

9

compelling such CA assistance would almost certainly rely on
the assistance provisions highlighted earlier. However, it is
unclear if such compelled assistance would be lawful, due to
the fact that it would interfere with the CA's ability to provide identity verification services. Such compelled assistance
would also raise serious First Amendment concerns, due to
to the fact that the government would be ordering the CA to
affirmatively lie about the identity of a certificate recepient.

Each CA already has an infrastructure in place with
which it is able to issue SSL certificates. In this compelled assistance scenario, the CA is merely required
to skip the identity verification step in its own SSL
certificate issuance process.

a specific certificate for each website to be spoofed,
or, more likely, the CA can be forced to issue a intermediate CA certificate that can then be re-used an
infinite number of times by that government agency,
without the knowledge or further assistance of the
CA.

US National Security Agency (NSA) can compel
VeriSign to produce a valid certificate for the Commercial Bank of Dubai (whose actual certificate is
issued by Etisalat, UAE), that can be used to perform an effective man-in-the-middle attack against
users of all modern browsers.

Назад | Оглавление | Дальше